Pandora3 API.
8030942efcff25071ce70e4fae35b641d00477059eea10000242a30c56db48af Pandora Toolbox API
(c) Nomad Mobile Research Center
www.nmrc.org
_I_ What is all this about ?
_II_ Credits
_III_ Pandora API architecture
_IV_ The mother of all : Pan_glob.h
_V_ Ripped off ! Pan_file.h
_VI_ The hash and the pendulum. Pan_hash.h
_VII_ Netware, Bravo, do you copy ? Pan_com.h
_A_ Appendix A : error codes
_B_ Appendix B : physical file structures
_I_ What is all this about ?
Project Pandora was developped by o O O Simple Nomad O O o at the
NMRC to hack Novell premier product : Netware NDS. The project
initially permitted dictionary attacks and brute force attacks on
password's hash extracted from the NDS. Then more attacks were
added, involving Netware Core Protocol, and it became clear that
an API was needed to reduce the redundancy in the code, facilitate
algorithm emprovments, expand the project and permit others to
share the fun...
_II_ Credits
This API was made possible thanks to the work of many, that was carefuly
gathered and assembled here. Therefore the NMRC team, Imnsho - Jitsu-Disk -
Knobster - Simple Nomad - Up-uat, wishes to thanks the following people for
their (sometime unconscious) contributions...
o O O Eleete O O o
Greg Miller
Itsme
o O O Ideas & Support O O o
Al Grant
Denis. L
gOObER
Richard. P
Rx2
Thomas Lackner
o O O NCP Insight O O o
Adrian Cunnely
Eugene Illenchko & Gusev Igor
Fauzan Mirza
Sven B. Schreiber
o O O Low level IPX/DOS coding O O o
John R. McCawley III
Cap'n Hardgeus
Hotwarez LLC
_III_ Pandora API architecture
The Pandora API is fully written in C code using the free GNU compiler. It
supports big and little endian platforms, and requires DJGPP free GNU C to
compile under DOS/WIN/OS2 environment (available at www.delorie.com).
It is build as a set of shared libraries, each of them specialized in a
certain type of attack. As of Pandora v3 release the libraries are :
Pan_file.h : for manipulation of the NDS files and password hash extraction
Pan_hash.h : to play all sort of crypto games with the extracted hash
Pan_com.h : used to communicate on the network using NCP/IPX/Packet transport
In addition there is a common library which defines common types and routines
to all shared libraries : Pan_glob.h
Pan_file.h, Pan_hash.h and Pan_com.h are the headers you want to include in
your programs if you need to manipulate NDS/decipher/communicate with netware.
These files are only declaration headers, the source code is located in
subdirectories affiliated to them :
main-dir header file sub-dir source files
-------- ----------- ------- ------------
| Pan_file.h |---> p_file |-----> file_lib.c (Pandora interface)
| file_med.h (file manipul. code)
| file_low.h (NDS files struct)
|
| Pan_hash.h |---> p_hash |-----> hash_lib.c (Pandora interface)
| hash_med.h (crypto routines)
| hash_low.h (crypto algo)
pandora |
| Pan_com.h |---> p_com |-----> com_lib.c (Pandora interafce)
| com_med.h (TODO:IPX struct)
| low | com_dos.h (com for DOS only)
| level| com_lin.h (TODO:com for LINUX)
|
| Pan_glob.h |---> p_glob |-----> pandora.c (Pandora structures)
| globals.c (endian & unicode)
We separated in each library the code of the API functions themselves
(Pandora interafce) from the routines those API rely upon (_med and _low).
The separation of what is considered a "low" level code and "medium" level
code is arbitrary. If this looks a bit tortuous, a glance at a typical
makefile might help ;-)
--------------------------------<makefile>------------------------------------
# this makefile illustrate the use of all libraries in one prog.
# the prog is supposed to be in a directory under which we find the
# "pandora" directory and all its subordinates.
CC = gcc # your favorite compiler
CFLAGS = -O3 -funroll-all-loops -fforce-mem # Optimization options
# following declarations will cause the compiler to build the libraries
# if not already compiled
PAN_GLOB = pandora\\p_glob\\pandora.o pandora\\p_glob\\globals.o
PAN_HASH = pandora\\p_hash\\hash_lib.o
PAN_FILE = pandora\\p_file\\file_lib.o
PAN_COM = pandora\\p_com\\com_lib.o
# invoking 'make' or 'make myprog' will build nwhack
myprog: nwhack
all: nwhack
# compil macro
.c.o:
$(CC) $(CFLAGS) $(DEFINES) -c $< -o $@
# your stuff that requires all libraries
nwhack: nwhack.o $(PAN_FILE) $(PAN_HASH) $(PAN_COM) $(PAN_GLOB)
nwhack.o: nwhack.c
#sample :
#
#myprog: myprog.o [$(__PAN__HEADER_I_USED__) ...] $(PAN_GLOB)
# myprog.o: myprog.c
#
# this makefile is found in the directory: mydirectory
# project pandora files are found under mydirectory\pandora
# linking $(PAN_GLOB) is always required since used by all shared lib
-------------------------------------><---------------------------------------
The start of nwhack.c source as you may expect ...
--------------------------------<nwhack.c>------------------------------------
#include "pandora\pan_file.h"
#include "pandora\pan_hash.h"
#include "pandora\pan_com.h"
/* include "pandora\pan_glob.h" not required since already included
by above shared libraries */
...
------------------------------------><----------------------------------------
Also note that a special care was taken to wrap all C headers so you could
include them in C++ progs (if you dare ;-) ).
O.K now you have a pretty good idea on how to build your prog with Pandora
facility, so lets get into real trouble and see what exactly you can do with
it...
First off we need to talk about Pan_glob.h .
_IV_ The mother of all : Pan_glob.h
Initially project Pandora was designed to extract users info and password
hash from Novell's NDS files and permit password recovery through brute force
or dictionary attack (see inside.txt).
The ripped info from NDS being saved in a file called PASSWORD.NDS, and the
"save state" of a brute force attempt in RESTORE.PAN; thus permitting via
manipulation (manipul8) to spread the attack over multiple computers.
The API offers two memory structure that duplicates the contents of these
files, in order to avoid the boredom of dealing with the physical access in
each program. Also those structures permit to pass info to and from the
functions of the API.
Some variables have been added in comparison to v2, so to take care
(hopefully) of new and future needs. This is a very sensitive part of the
API since all modification renders Pandora files incompatible between two
versions (not ment to be a database) but you could write a prog to
convert the files between the various versions if you really need to.
------------------------------<Global Structures>-----------------------------
typedef unsigned char uint8; /* one byte */
typedef unsigned short uint16; /* one 16bit word */
typedef unsigned long uint32; /* one 32bit word */
typedef unsigned int unicode; /* depends on system may be 16 or 32 bit */
typedef struct pan_passlist
{
uint32 bind; /* Bindery type of object */
uint32 id; /* Object ID from ENTRY */
uint32 parentID; /* Parent ID */
uint32 objectID; /* Object ID from Private Key */
uint32 pwlen_known; /* TRUE or FALSE */
uint32 pwlen; /* Password length of user account */
uint32 pwhash_known; /* TRUE or FALSE */
uint8 hash[16]; /* One-way hash */
uint8 userOU[40]; /* OU of User, stored in unicode */
uint8 userCN[258]; /* User common name, unicode */
struct pan_passlist *next;
} *Pan_PassList;
typedef struct pan_passhack
{
uint32 bind; /* Bindery type of object */
uint32 id; /* Object ID from ENTRY */
uint32 parentID; /* Parent ID */
uint32 objectID; /* Object ID from Private Key */
uint32 pwlen; /* Password length currently tested */
uint8 pw_first[128]; /* Passwd used to initialize the hack */
uint8 pw_current[128]; /* Current attempt */
uint8 pw_last; /* Max for pw_current[0] */
uint8 hash[16]; /* One-way hash if set to 0 => unknown */
uint8 userOU[40]; /* OU of User, stored in unicode */
uint8 userCN[258]; /* User common name, stored in unicode */
} Pan_PassHack;
------------------------------------><----------------------------------------
Pan_PassList declaration : Pan_PassList pPassList;
All variables are pretty self explainatory, just for the record :
'bind' contains the bindery type of the object (if exist) and is stored in
big endian format since we exclusively use it when communicating with
a server which requires that format. Here are listed some common
bindery types, not all types holds a password though :
Description Value 'bind' value
----------------------------------------------------------
Unknown 0 0x0000
User 1 0x0100
User Group (container) 2 0x0200
Print Queue 3 0x0300
File Server 4 0x0400
Job Server 5 0x0500
Gateway 6 0x0600
Print Server 7 0x0700
Archive Queue 8 0x0800
Archive Server 9 0x0900
Job Queue 10 0x0a00
Administration 11 0x0b00
Remote Bridge Server 38 0x2600
Advertising Print Server 71 0x4700
Btrieve Server 75 0x4B00
RSPCX Server (Rconsole) 263 0x0701
HP Jet-Printer 780 0x0C03
Cheyenne ArcServe 1100 0x4c04
Reserved up to 32768 0x0080
Wild -1 0xffff
'pwlen_known' is set to YES when the lengh of the real password is known.
'pwhash_known' is set to YES when we know the real hash of a user.
Also you've probably noticed that pPassList is a chained list and therefore
requires memory allocation, and memory release when done, see Global Functions
for this. Adding a new element or searching a new element in the list is very
simple, for illustration check the code in nds_io.c/manipul8.c . Here's a
simple sketch that represents how PASSLIST records are stored in memory :
Pan_PassList pPassList;
*
*
---------------------------------------------------------------------
| <root> <first-rec> <last-rec> |
| |
| pPassList |
| | |bind |
| |______>|id |bind |
| |parentID |id | |
| |objectID |parentID | |
| |... |objectID | |
| |next------->|... | |
| |next------->...| |
| |next------->(NULL) |
|_____________________________________________________________________|
Pan_PassHack declaration : Pan_PassHack pPassHack;
This is a regular structure, it is use for brute force and for passing info
from function to function, depending on the function you're calling not all
fields are required. Check Global Functions for passing info from a pointer
on pPassList to a pPassHack structure.
The pw* variables are worhty a word of explaination :
'pwlen' contains the current testing size of for the password may it be the
real one or not, 'pw_first' and 'pw_current' must be of that size.
'pw_first' is the initializing password, and is also the "upper-limit" when
used in the brute force.
'pw_current' is the last saved attempt in a brute force and the starting
point of a restored brute force. It allows to spread a brute
force over multiple computers. 'pw_current' canno't be "before"
'pw_first' in regards of the following key order :
************************************************************************
* ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=| *
************************************************************************
'pw_last' is only one character and gives the "lower_limit" to pw_current[0]
for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA,
pw_current=<not set>, pw_last=Z and brute force range is ALPHANUMERIC,
the first attempt will be AAAAA and the last possible attempt is Z9999.
-----------------------------<Global Functions>-------------------------------
/* Dump unicode to screen, for DOS/Shell use only
name is a pointer on the unicode string, j the unicode lengh.
*/
void printUnicodeName(char *name, int j);
/* Endian conversion routines, for shared lib use. These routines are usefull
in two situations : when sending WORDS over the wire and when dealing with
little endian/big endian problem.
*/
uint32 swap_uint32(uint32 n); /* uint32 BIG<->LITTLE Endian */
uint16 swap_uint16(uint16 n); /* uint16 BIG<->LITTLE Endian */
/* Memory alloc/desalloc routinesfor Pan_PassList chained list */
/* Usage : Pan_PassList pPassList=Pan_PassList_alloc();
allocates memory for 1 record; to acces information use for ex.
pPassList->bind, to create a new record (q being a pointer on the last
record) q->next=Pan_PassList_alloc();
*/
Pan_PassList Pan_PassList_alloc(void);
/* Usage : Pan_PassList_free(pPassList);
free the memory of a PassList structure starting from the specified
pointed record (usually set on root).
*/
void Pan_PassList_free(Pan_PassList pPassList);
/* Pan_PassList / Pan_PassHack exchange of information */
/* Usage : Pan_PassList_to_PassHack(pPassList,&pPassHack);
fill a PassHack record with current PassList pointed info, PassHack fields
that dosen't exist in PassList are kept unchanged.
*/
void Pan_PassList_to_PassHack(Pan_PassList pPassList,Pan_PassHack *pPassHack);
-------------------------------------><---------------------------------------
As an illustration lets comment a simple routine that reads from a "PASSWORD"
file containing the extracted NDS info, that checks for a specific name, and
finally that stores the matching record in a "PASSHACK" structure :
----------------------------------<Ex_1.c>------------------------------------
/*Some function calls uses the Pan_file.h library described below*/
Pan_PassList pPassList,q;
Pan_PassHack pPassHack;
...
/*read from the PASSWORD file previously build using the NDS files*/
/*and copy the file into the Pan_PassList chained-list structure*/
err=Pan_PassList_read("PASSWORD.NDS",&pPassList);
if (err) {printf("err : %d",err); /*check the return code*/
exit(-1);
}
/*check records one after the other until the name is found or the end of*/
/*the list is reached. We use a temporary pointer so not to screw up our*/
/*root-list (pPassList) pointer*/
for (q=pPassList;q!=NULL;q=q->next)
{FOUND=TRUE;
for (i=0;i<strlen(account);i++)
{t=i*2+6; /*takes care of Unicode format. Skips 'C N = ' */
if (account[i]!=q->userCN[t]) FOUND=FALSE;
}
if (FOUND==TRUE) break;
}
/*checks for the result : if q==NULL, we've reached the end of the list*/
/*without finding what we looked for*/
if (!q)
{printf("%s not found in password file.\n",account);
Pan_PassList_free(pPassList);
exit(1);
}
/*From hereon we won't use the pPassList structure anymore, so we free the*/
/*memory it's using. The record we found is copied in a Pan_PassHack*/
/*structure*/
Pan_PassList_to_PassHack(q,&pPassHack);
Pan_PassList_free(pPassList);
...
-------------------------------------><---------------------------------------
If you want to develop with the Pandora Toolbox it is essential that you
really master the Pan_glob.h functions and prototypes since the same system
is applied throughout the project. Read the code...
Now that the plot is set, it's about time to see what the shared lib can
really do for us.
__V__ Ripped off ! Pan_file.h
The aim of this library is a twofold : extract info from the NDS files and
save&read from the Pandora files. For the first issue check 'inside.txt'.
The Pandora files are of two types : one is a list of all users extracted
from the original NDS files (physical companion to Pan_PassList called
PASSLIST), and the other represent the "save-state" of a current "work" on a
specific user (physical equivalent to Pan_PassHack called PASSHACK).
When extracting information from the NDS files, data are stored in a
Pan_PassList structure, this list can then be saved to disk; with the
exeption of 'Pan_Convert(...)' which converts a BACKUP.DS file into the
original '.NDS' files, no function in the shared lib makes direct disk access
to the Pandora files (except for the R/W functions of those files, of course).
Pan_PassList related functions :
- Pan_Extract_NDS(...) extracts all NDS objects of type USER which *have* a
hash in the .NDS files
- Pan_Extract_Bindery(...) extracts all NDS objects of type BINDERY which
*have* a hash in the NDS files (ex. SUPERVISOR)
- Pan_PassList_read(...) reads the content of a physical PassList file into a
Pan_PassList structure. The structure need Not be
initialized (mem alloc) before the call.
- Pan_PassList_write(...) writes the content of a PassList starting from a
given pointer in the list, if the given file name
already exists, the file is overwritten.
Pan_PassHack related functions :
- Pan_PassHack_read(...) reads the content of of physical PassHack record
into a PassHack structure.
- Pan_PassHack_write(...) writes the content of a PassHack structure in a
given file (if exists, is overwritten)
If you have compiled your program and the libraries with -DBIG_ENDIAN switch
because you have a big endian processor, you can still use and exchange
Pandora files produced on little endian platforms, conversion is taken care
of automatically.
For return codes see Apendix A.
-----------------------------<Files Functions>-------------------------------
/* Read/Write the NDS related information */
/* Usage : err=Pan_Convert("f:\system\")
convert BACKUP.DS in ENTRY.NDS, VALUE.NDS, PARTITIO.NDS, BLOCK.NDS
return an error if a problem occured, .DS/.NDS files in specified dir by
the path parameter. Closing back-slash is required, current directory is
specified by : ".\"
*/
int Pan_Convert_DS(char *path);
/* Usage : err=Pan_Extract_NDS(&pPassList,"f:\nds\")
return an error if a problem occured, read NDS information from the .NDS
files in the specified dir; the chained records are stored in pPassList,
the last record has 'next==NULL'. The same rules applies for the path
parameter as in Pan_Convert_DS(...).
*/
int Pan_Extract_NDS(Pan_PassList *pPassList, char *path);
/* Usage : err=Pan_Extract_Bindery(&pPassList,"f:\nds\")
return an error if a problem occured, read Bindery information from the .NDS
files in the specified dir; the chained records are stored in pPassList,
the last record has 'next==NULL'. The same rules applies for the path
parameter as in Pan_Convert_DS(...).
*/
int Pan_Extract_Bindery(Pan_PassList *pPassList, char *path);
/* Pandora files I/O */
/* Usage : err=Pan_PassList_read("PASSNAME.EXT",&pPassList)
Read and copy the records in a PASSLIST file to Pan_PassList structure.
The Pan_PassList structure (pPassList) need not be initialized.
*/
int Pan_PassList_read(char *readfile,Pan_PassList *pPassList);
/* Usage : err=Pan_PassList_write("PASSNAME.NDS",pPassList)
Writes the content of a Pan_PassList structure to a PASSLIST file.
The last 'PassList' record in the list MUST have 'next=NULL'.
*/
int Pan_PassList_write(char *writefile,Pan_PassList pPassList);
/* Usage : err=Pan_PassHack_read("WHATEVER.EXT",&pPassHack)
Read and copy the record of a PASSHACK file to Pan_PassHack structure.
*/
int Pan_PassHack_read(char *readfile,Pan_PassHack *pPassHack);
/* Usage : err=Pan_PassHack_write("WHATEVER.EXT",&pPassHack)
Writes the content of a Pan_PassHack structure to a PASSLIST file record.
*/
int Pan_PassHack_write(char *writefile,Pan_PassHack *pPassHack);
-------------------------------------><---------------------------------------
_VI_ The hash and the pendulum. Pan_hash.h
Novell private hash routine was a glorious attempt to build a proprietary
algorithm that was meant to provide all sorts of tricks : a secure way to
store passwords, a secure algorithm to wrap new cyphers with old cyphers when
changing password and a non-trivial yet fast random-like generator (for packet
signature for instance). The algorithm provided all of the above, but yet
wasn't exempt, due to its concept or implementation, of serious weakness
some we try to exploit here. For a more detailed discussion on the core
algorithm see crypto.txt.
Although Novell has introduced RSA in Netware 4.xx as part of the
authentification scheme, many games can still be played using old bindery
calls, and yet the core algorithm for hash generation remains the same.
Five routines are provided here, two for password hacking and three for hash
generation.
Pan_Brute_Force(...) will attempt to recover someone's password given his
hash and object ID by testing all possible passwords in a given test range.
Note that due to the hashing algorithm, we do not make use of lower-case
caracters (and this makes me wonder how possibly Novell can advertise the use
both lower-case and upper-case caracters as a security improvement to your
password secrecy, see : http://www.novell.com/products/nds/hacks2.html).
Since we use a fast-hash generator, lengh of password to recover canno't
exeed 16 caracters.
Pan_Dict_Attack(...) this routine also attempts to recover a password given
a user's object ID and hash, by testing the hash against all words of a
determined lengh in a 'dictionary' file. This routine also make use of the
fast-hash generator, thus lengh of password to recover canno't exeed 16
caracters.
Pan_Hash_Gen(...) this routine permit to generate a password hash given the
clear-text password and the user's object ID. The routine accepts passwords
up to the maximum legal lengh : 128 caracters.
Pan_Challenge_Response(...) this routine, given a Login Key and a user's
password, computes the resulting Challenge Response. The password can be
given either plaintext with the user's object ID or pre-processed as the
password hash. This routine is used whenever a password must be transmitted
over the wire to a Netware server. For details on the Challenge Response
scheme see the Netware Hack FAQ.
Pan_3hash_cipher(...) this routine is used when changing a password : the user
old password hash (16bytes) is cut in two halves (8bytes) and each halves is
processed in a mathematical function such as :
Func(old-pass-half1,new-pass-half1)=cipher-half1;
Func(old-pass-half2,new-pass-half2)=cipher-half2;
So that when both cipher-halves are transmited, the server can process :
Reverse-Func(cipher-half1,old-pass-half1)=new-pass-half1;
Reverse-Func(cipher-half2,old-pass-half2)=new-pass-half2;
It looks like a simple XOR Func could do the trick, but Novell used a complex
algorithm, probably so that nothing could be deducted knowing the cipher and
the new password hash alone.
They are a few more algorithms used by Netware servers, keep tuned ...
For return codes see Apendix A.
------------------------------<Hash Functions>--------------------------------
/* Password Hacking */
/* Usage : err=Pan_Brute_Force(&pPassHack,PAN_ASCII,&retpw,"RESTORE.PAN");
The first argument is the pPassHack structure that MUST contain valid
values for the following :
objectID, object ID of user
0< pwlen <=16, lengh of password to generate (brute force only lengh<=16)
pw_first, the 'seed' password to start the brute force with
If pw_last is not set, it is given the value of pw_first[0] thus ensuring
that we try all possible combination for that given password lengh.
The second argument allows to 'segment' the brute force by telling how many
attempts the routine should perform, regardless of pPassHack settings,
before the brute-force routine returns to the calling program. Once
returned the brute force can be restored transparently since the last
attempt is stored in pw_current. This permits to give a status on the brute
force on a regular basis, and to fine tune how often things should be saved
to disk for instance.
The third parameter will contain the real password if found. It is not
required to initialize it (memory alloc), but it should be freed after use.
The last parameter is the "limit" in the word-list for the brute force,
the word list being :
************************************************************************
* ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,./<>?;':\"[]{}`~!@#$%^&*()_-+=| *
************************************************************************
for instance if we're doing a brute force that pwlen=5, pw_first=AAAAA,
pw_current=<not set>, pw_last=Z and brute force range is ALPHANUMERIC,
the first attempt will be AAAAA and the last possible attempt is Z9999.
Finally the return value here may be other things than errors : if it
contains (NULL) password was found, -105 if not found, -106 if time to save
(parameter two 'maxtry' reached).
*/
#define PAN_ASCII 25
#define PAN_ALPHANUM 35
#define PAN_KEYSPACE 66
int Pan_Brute_Force(Pan_PassHack *pPassHack,
int maxtry,
char **retpw,
uint32 limit
);
/* Usage : err=Pan_Dict_Attack(&pPassHack,&retpw,dict);
The first argument is the pPassHack structure that MUST contain valid
values for the following :
objectID, object ID of user
0< pwlen <=16, lengh of password to try from dictionary, since we use the
same fast-hash test as in the brute force, lengh is limited
to 16 characters.
The second parameter will contain the real password if found. It is not
required to initialize it (memory alloc), but it should be freed after use.
The last argument is the dictionary file to read from, if no path is
specified, current directory is assumed.
If the return value is (NULL) the password was found.
*/
int Pan_Dict_Attack(Pan_PassHack *pPassHack,char **retpw,char *readfile);
/* Password Generation */
/* Usage : err=Pan_Hash_Gen(&pPassHack);
The argument is the pPassHack structure that MUST contain valid values for
the following :
objectID, object ID of user
0<= pwlen <=128, lengh of password in pw_first (netware max lengh : 128)
pw_first, password to hash for the specified objectID
If the hash generation was succesfull, (NULL) is returned and
pPassHack.hash holds the password's hash.
*/
int Pan_Hash_Gen(Pan_PassHack *pPassHack);
/* Usage : err=Pan_Challenge_Response(&pPassHack,TRUE,&logkey,&dst);
The first argument is the pPassHack structure that MUST contain valid values
for the following :
objectID, object ID of user
|If argument two is FASLE
| 0<= pwlen <=128, lengh of password in pw_first (netware max lengh : 128)
| pw_first, password to use to generate hash for the specified objectID
OR
|If argument two is TRUE
| hash, the hash to use for that objectID
The third argument is the login key returned by the server, which is used to
generate the second hash from the first hash.
That second hash, which is the challenge response, is stored in the fourth
argument, a uint8 [8]. If no problem occured, the return value is (NULL).
*/
int Pan_Challenge_Response
(Pan_PassHack *Info,int hash_known,uint8 *logkey, uint8 *dst);
/* Usage : err=Pan_3hash_cipher(oldcipher,newcipher,newcipher);
oldcrpw : current password hash
newcrpw : new password hash
cipherpw : the returned cipher such as reverse-func(cipher,oldcrpw)=newcrpw
*/
int Pan_3hash_cipher(uint8 *oldcrpw,uint8 *newcrpw,uint8 *cipherpw);
-------------------------------------><---------------------------------------
_VII_ Netware, Bravo, do you copy ? Pan_com.h
In Networking Software, there is obviously Network ;-) And many funny tricks
can be build over the wire. The routines presented here gives a crude but
working interface to your progams for the following : sending packet-level
information (allows spoofing), sending NCP requests/replies, connecting to a
Netware server.
At the time this doc is written full IPX send/receive support is in the
process of being implemented.
The programs code released with Pandora gives unvaluable information, that
was collected from the work of many hackers, on the way to communicate with
a Netware server. Sparse but good documentation on how to perform specific
NCP/IPX requests/replies can be found electronically and in specialised
libraries; And for the sake of it, lets briefly describe what a typical NCP
request looks like in a Ethernet 802.3 frame format :
Description bytes byte order
-----------------------------------------|------------|------------
>802.3 frame header< | |
| |
MAC adress of dest. (router/server) | 0 -> 5 | Normal
MAC adress of origin (station) | 6 -> 11 | Normal
Physical lengh of packet (end-14) | 12 -> 13 | Reversed
| |
>Internetwork Packet Exchange< | |
| |
Checksum (0xffff=no checksum) | 14 -> 15 | ??
Packet total lengh (=Physical lengh-1) | 16 -> 17 | Reversed
Hop count (nb of routers btw org/serv) | 18 | Normal
Packet type (=0x11 is NCP, 0x17 is NDS) | 19 | Normal
Destination IPX net (server net) | 20 -> 23 | Normal
Destination IPX adress (server adress) | 24 -> 29 | Normal
Destination socket (=0x0451 is NCP) | 30 -> 31 | Normal
Originator IPX net | 32 -> 35 | Normal
Originator IPX adress | 36 -> 41 | Normal
Originator socket (=0x40?? usually) | 42 -> 43 | Normal
| |
>NCP request/reply header< | |
| |
Request type (=0x2222 req./=0x3333 rep.)| 44 -> 45 | Normal
Sequence num (+1 each for req., 0<->255)| 46 | Normal
Connection number LOW | 47 | N/A
Task number (for internal use of org.) | 48 | Normal
Connection number HIGH (0 if conn.<255) | 49 | N/A
Function code (=0x68 IPX/=other NCP ??) | 50 | Normal
| |
---------------------Ex. if Function code is NCP-------------------
| |
>NCP data< | |
| |
Subfunction lengh (0x0001 usually) | 51 -> 52 | Normal
Subfunction code (action to perform) | 53 | Normal
Data (if exists) | 54 ->end_1| Usually
| | reversed
---------------------Ex. if Function code is IPX-------------------
| |
>IPX data< | |
| |
Request (=0x02 is fragmented req./rep.) | 51 | Normal
Fragment handle (=0xffffffff if null) | 52 -> 55 | ??
Max frag. size (=0x02020000 usually) | 56 -> 59 | Reversed
Total data lengh (incl. all frag.) | 60 -> 63 | Reversed
Fragment flag (=0x00000000 if null) | 64 -> 67 | ??
Verb number (action to perform) | 68 -> 71 | Reversed
Reply buffer size (=0x00000000 if null) | 72 -> 75 | Reversed
Data (if exists) | 76 ->end_1| Usually
| | reversed
-------------------------------------------------------------------
| |
>Packet signature< | |
| |
If signature is level_1 Wild-Pad |end_1 -> end|
0xffffffffffffffff is accepted |end=end_1+7 |
If signature is level_2 or higher | (8 bytes) |
real signature is base on user hash | |
The function you want to use to send packet like this is : Pan_NCP_Spoof(...)
of course, other type than NCP packet can be sent and you're not obliged to
spoof your adress, but the name was kinda cool ;-) This function is only
available if you have installed a packet driver on interrupt 0x60, don't
forget the '-n' switch if you use Novell 802.3 frame format.
If you need to send a regular NCP request/reply, use Pan_NCP_Transmit(...),
examples to use Pan_NCP_Transmit(...) can be found inside the Pandora code,
the "function code" to call is the first parameter, the second parameter is
the data to send (seen above as >NCP data< or >IPX data<).
A function called Pan_NCP_connect(...) is also provided to connect to a
Netware server (although you could do it through the appropriate call with
Pan_NCP_transmit(...)).
Our aim here is not to describe all possible NCP/IPX packets that can be
generated. Just be aware that for NCP, Function code+Subfunction code defines
the request, for IPX, Request+Verb number defines the request. As you have
noticed, IPX requests are encapsulated in NCP headers, this is probably due
to the fact that NCP stuff existed on Netware servers before IPX which was
later used for requests that had to be spread over multiple packets.
Below is a list of well none NCP Function/Subfunction codes, this list is NOT
exhaustive and dosen't include IPX requests. Detailed parameters for most of
these function calls can be found in the NCP interrup list document at :
http://www.tsu.ru/~eugene/netware/archive/index.html
NCP call description Function Subfunc.
(hex) (hex)
----------------------------------------------------------------------------
ABORT SERVICING QUEUE JOB AND FILE | 17 | 84
ABORT SERVICING QUEUE JOB AND FILE OLD | 17 | 73
ADD AUDIT PROPERTY | 58 | 02
ADD BINDERY OBJECT TO SET | 17 | 41
ADD TRUSTEE SET TO NS ENTRY | 57 | 0A
ADD TRUSTEE TO DIRECTORY | 16 | 0D
AFP ALLOC TEMPORARY DIR HANDLE | 23 | 0B
AFP CREATE DIRECTORY | 23 | 01
AFP CREATE FILE | 23 | 02
AFP DELETE | 23 | 03
AFP GET ENTRY ID FROM NAME | 23 | 04
AFP GET ENTRY ID FROM NETWARE HANDLE | 23 | 06
AFP GET ENTRY ID FROM PATH NAME | 23 | 0C
AFP GET FILE INFORMATION | 23 | 05
AFP OPEN FILE FORK | 23 | 08
AFP RENAME | 23 | 07
AFP SCAN FILE INFORMATION | 23 | 0A
AFP SET FILE INFORMATION | 23 | 09
AFP 20 CREATE DIRECTORY | 23 | 0D
AFP 20 CREATE FILE | 23 | 0E
AFP 20 GET DOS NAME ENTRY ID | 23 | 12
AFP 20 GET FILE | 23 | 0F
AFP 20 GET MACINTOSH INFO ON DELETED FILE | 23 | 13
AFP 20 SCAN FILE INFORMATION | 23 | 11
AFP 20 SET FILE INFORMATION | 23 | 10
ALLOCATE PERMANENT DIRECTORY HANDLE | 16 | 12
ALLOCATE RESOURCE | 0F | 00
ALLOCATE SPECIAL TEMPORARY DIRECTORY HANDLE | 16 | 16
ALLOCATE TEMP NS DIR HANDLE | 57 | 0C
ALLOCATE TEMPORARY DIRECTORY HANDLE | 16 | 13
ALLOW TASK ACCESS TO FILE | 4E | 00
ATTACH QUEUE SERVER TO QUEUE | 17 | 6F
BROADCAST TO CONSOLE | 15 | 09
CHANGE AUDIT LEVEL TWO PASSWORD | 58 | 12
CHANGE AUDITOR PASSWORD | 58 | 04
CHANGE BINDERY OBJECT PASSWORD | 17 | 40
CHANGE BINDERY OBJECT PASSWORD ENCRYPTED | 17 | 4B
CHANGE BINDERY OBJECT SECURITY | 17 | 38
CHANGE CONNECTION STATE | 17 | 1D
CHANGE PROPERTY SECURITY | 17 | 3B
CHANGE QUEUE JOB ENTRY | 17 | 7B
CHANGE QUEUE JOB ENTRY OLD | 17 | 6D
CHANGE QUEUE JOB POSITION | 17 | 7C
CHANGE QUEUE JOB POSITION OLD | 17 | 6E
CHANGE QUEUE JOB PRIORITY | 17 | 82
CHANGE TO CLIENT RIGHTS | 17 | 85
CHANGE TO CLIENT RIGHTS OLD | 17 | 74
CHANGE USER PASSWORD | 17 | 01
CHECK AUDIT ACCESS | 58 | 05
CHECK AUDIT LEVEL TWO ACCESS | 58 | 16
CHECK CONSOLE PRIVILEGES | 17 | C8
CHECK PIPE STATUS | 15 | 08
CLEAR CONNECTION NUMBER | 17 | FE
CLEAR CONNECTION NUMBER OLD | 17 | D2
CLEAR FILE | 07 | 00
CLEAR FILE SET | 08 | 00
CLEAR LOGICAL RECORD | 0B | 00
CLEAR LOGICAL RECORD SET | 0E | 00
CLEAR PHYSICAL RECORD | 1E | 00
CLEAR PHYSICAL RECORD SET | 1F | 00
CLEAR VOLUME RESTRICTIONS | 16 | 22
CLOSE AND QUEUE CAPTURE FILE | 11 | 01
CLOSE BINDERY | 17 | 44
CLOSE EXTENDED ATTRIBUTE HANDLE | 56 | 01
CLOSE FILE AND START JOB QUEUE | 17 | 7F
CLOSE FILE AND START JOB QUEUE OLD | 17 | 69
CLOSE MESSAGE PIPE | 15 | 07
CLOSE OLD AUDITING FILE | 58 | 14
CLOSE SEMAPHORE OLD | 20 | 04
CLOSE SEMAPHORE | 6F | 04
COMMIT FILE | 3B | 00
CONVERT PATH TO DIRECTORY ENTRY | 17 | F4
CREATE BINDERY OBJECT | 17 | 32
CREATE DIRECTORY | 16 | 0A
CREATE NEW FILE | 4D | 00
CREATE PROPERTY | 17 | 39
CREATE QUEUE | 17 | 64
CREATE QUEUE JOB AND FILE | 17 | 79
CREATE QUEUE JOB AND FILE OLD | 17 | 68
DEALLOCATE DIRECTORY HANDLE | 16 | 14
DEALLOCATE RESOURCE | 10 | 00
DELETE BINDERY OBJECT | 17 | 33
DELETE BINDERY OBJECT FROM SET | 17 | 42
DELETE DIRECTORY | 16 | 0B
DELETE NS ENTRY | 57 | 08
DELETE OLD AUDITING FILE | 58 | 15
DELETE OLD AUDITING FILE 2 | 58 | 1A
DELETE PROPERTY | 17 | 3A
DELETE TRUSTEE | 16 | 2B
DELETE TRUSTEE FROM DIRECTORY | 16 | 0E
DELETE TRUSTEE SET FROM NS ENTRY | 57 | 0B
DESTROY QUEUE | 17 | 65
DETACH QUEUE SERVER FROM QUEUE | 17 | 70
DISABLE AUDITING ON VOLUME | 58 | 07
DISABLE STATION BROADCASTS | 15 | 02
DISABLE FILE SERVER LOGIN | 17 | CB
DISABLE TRANSACTION TRACKING | 17 | CF
DOWN FILE SERVER | 17 | D3
DS CHANGE AUDIT LEVEL TWO PASSWORD | 68 | D7
DS CHANGE AUDITOR PASSWORD | 68 | CB
DS CHANGE OBJECT AUDITED | 68 | DD
DS CHECK AUDIT ACCESS | 68 | CC
DS CHECK AUDIT LEVEL TWO ACCESS | 68 | DB
DS CHECK OBJECT AUDITED | 68 | DC
DS CLOSE FRAGMENT | 68 | 03
DS CLOSE OLD AUDITING FILE | 68 | D9
DS DELETE OLD AUDITING FILE | 68 | DA
DS DELETE OLD AUDITING FILE 2 | 68 | E1
DS DISABLE AUDITING ON CONTAINER | 68 | CE
DS ENABLE AUDITING ON CONTAINER | 68 | CF
DS GET AUDIT FILE LIST | 68 | DE
DS GET AUDITING FLAGS | 68 | D8
DS GET DS STATISTICS | 68 | 06
DS GET CONTAINER AUDIT STATUS | 68 | C8
DS INIT AUDIT FILE READ | 68 | DF
DS LOGIN AS CONTAINER AUDITOR | 68 | CA
DS LOGOUT AS CONTAINER AUDITOR | 68 | D3
DS MONITOR CONNECTION | 68 | 05
DS PING FOR NDS NCP | 68 | 01
DS READ AUDIT CONFIG HEADER | 68 | D1
DS READ AUDITING FILE | 68 | D2
DS READ AUDITING FILE 2 | 68 | E0
DS READ AUDITING FILES | 68 | 15
DS RELOAD | 68 | 08
DS RESET AUDIT HISTORY FILE | 68 | D5
DS RESET AUDITING FILE | 68 | D4
DS RESET DS COUNTERS | 68 | 07
DS RETURN BINDERY CONTEXT | 68 | 04
DS SEND FRAGMENTED REQUEST REPLY | 68 | 02
DS SET AUDIT PASSWORD | 68 | E5
DS WRITE AUDIT CONFIG HEADER | 68 | D6
DUPLICATE EXTENDED ATTRIBUTE | 56 | 05
ENABLE AUDITING ON VOLUME | 58 | 08
ENABLE STATION BROADCASTS | 15 | 03
ENABLE FILE SERVER LOGIN | 17 | CC
ENABLE TRANSACTION TRACKING | 17 | D0
END OF JOB | 18 | 00
ENTER LOGIN AREA | 17 | 0A
ENUMERATE EXTENDED ATTRIBUTE | 56 | 04
ERASE FILES | 44 | 00
EXAMINE SEMAPHORE OLD | 20 | 01
EXAMINE SEMAPHORE | 6F | 01
FILE CLOSE | 42 | 00
FILE COMMIT | 3D | 00
FILE COPY | 4A | 00
FILE CREATE | 43 | 00
FILE DM REQUEST | 5A | 96
FILE OPEN | 41 | 00
FILE READ | 48 | 00
FILE RELEASE LOCK | 02 | 00
FILE RENAME | 45 | 00
FILE SEARCH CONTINUE | 3F | 00
FILE SEARCH INITIALIZE | 3E | 00
FILE SET LOCK | 01 | 00
FILE WRITE | 49 | 00
FILL NAME SPACE BUFFER | 16 | 2F
FINISH SERVICING QUEUE JOB AND FILE | 17 | 83
FINISH SERVICING QUEUE JOB AND FILE OLD | 17 | 72
GET ACCOUNT STATUS | 17 | 96
GET ACTIVE CONNECTION LIST BY TYPE | 7B | 0E
GET ACTIVE LAN BOARD LIST | 7B | 14
GET ACTIVE PROTOCOL STACKS | 7B | 28
GET AUDIT FILE LIST | 58 | 17
GET AUDITING FLAGS | 58 | 13
GET BIG PACKET NCP MAX PACKET SIZE | 61 | 00
GET BINDERY ACCESS LEVEL | 17 | 46
GET BINDERY OBJECT ACCESS LEVEL | 17 | 48
GET BINDERY OBJECT DISK SPACE LEFT | 17 | E6
GET BINDERY OBJECT ID | 17 | 35
GET BINDERY OBJECT NAME | 17 | 36
GET BROADCAST MESSAGE | 15 | 01
GET BROADCAST MESSAGE EX | 15 | 0B
GET CACHE INFORMATION | 7B | 01
GET CONNECTION LIST FROM OBJECT | 17 | 1F
GET CONNECTION OPEN FILES | 17 | EB
GET CONNECTION OPEN FILES OLD | 17 | DB
GET CONNECTION SEMAPHORES | 17 | F1
GET CONNECTION SEMAPHORES OLD | 17 | E1
GET CONNECTION TASK INFORMATION | 17 | EA
GET CONNECTION TASK INFORMATION OLD | 17 | DA
GET CONNECTION USAGE STATISTICS | 17 | E5
GET CONNECTIONS USING A FILE | 17 | EC
GET CONNECTIONS USING A FILE OLD | 17 | DC
GET CPU INFORMATION | 7B | 08
GET DIR ENTRY | 16 | 1F
GET DIR INFO | 16 | 2D
GET DIRECTORY BASE | 57 | 16
GET DIRECTORY CACHE INFORMATION | 7B | 0C
GET DIRECTORY PATH | 16 | 01
GET DISK CACHE STATISTICS | 17 | D6
GET DISK CHANNEL STATISTICS | 17 | D9
GET DISK UTILIZATION | 17 | 0E
GET DM INFO | 5A | 01
GET DM FILE INFO | 5A | 81
GET DM STATUS INFO | 5A | 83
GET DM SUPPORT MODULE INFO | 5A | 84
GET DRIVE MAPPING TABLE | 17 | D7
GET EFFECTIVE DIRECTORY RIGHTS | 16 | 03
GET EFFECTIVE NS DIRECTORY RIGHTS | 57 | 1D
GET EFFECTIVE RIGHTS | 16 | 2A
GET ENCRYPTION KEY | 17 | 17
GET EXTENDED VOLUME INFO | 16 | 33
GET FILE BIT MAP | 55 | 00
GET FILE SERVER DATE AND TIME | 14 | 00
GET FILE SERVER DESCRIPTION STRINGS | 17 | C9
GET FILE SERVER INFORMATION | 17 | 11
GET FILE SERVER INFORMATION EX | 7B | 02
GET FILE SERVER LAN IO STATISTICS | 17 | E7
GET FILE SERVER LOGIN STATUS | 17 | CD
GET FILE SERVER MISC INFORMATION | 17 | E8
GET FILE SIZE | 47 | 00
GET FILE SYSTEM STATISTICS | 17 | D4
GET GARBAGE COLLECTION INFORMATION | 7B | 07
GET GENERAL ROUTER AND SAP INFORMATION | 7B | 32
GET INTERNET ADDRESS | 17 | 1A
GET INTERNET ADDRESS OLD | 17 | 13
GET IPX SPX INFORMATION | 7B | 06
GET KNOWN NETWORKS INFORMATION | 7B | 35
GET KNOWN SERVERS INFORMATION | 7B | 38
GET LAN COMMON COUNTERS INFORMATION | 7B | 16
GET LAN CONFIG STRINGS | 7B | 18
GET LAN CONFIGURATION INFORMATION | 7B | 15
GET LAN CUSTOM COUNTERS INFORMATION | 7B | 17
GET LAN DRIVER CONFIGURATION INFORMATION | 17 | E3
GET LOADED MEDIA NUMBER LIST | 7B | 2F
GET LOGICAL RECORD INFORMATION | 17 | F0
GET LOGICAL RECORD INFORMATION OLD | 17 | E0
GET LOGICAL RECORDS BY CONNECTION | 17 | EF
GET LOGICAL RECORDS BY CONNECTION OLD | 17 | DF
GET LSL INFORMATION | 7B | 19
GET LSL LOGICAL BOARD STATISTICS | 7B | 1A
GET MEDIA MANAGER OBJECT CHILDREN LIST | 7B | 20
GET MEDIA MANAGER OBJECT INFORMATION | 7B | 1E
GET MEDIA MANAGER OBJECT LIST | 7B | 1F
GET MEDIA NAME BY MEDIA NUMBER | 7B | 2E
GET MEMBER SET OF GROUP | 17 | 09
GET NAME SPACE ENTRY | 16 | 30
GET NCP EXTENSION INFO | 24 | 05
GET NCP EXTENSIONS LIST | 24 | 04
GET NETWARE FILE SYSTEMS INFORMATION | 7B | 03
GET NETWORK ROUTER INFORMATION | 7B | 33
GET NETWORK ROUTERS INFORMATION | 7B | 34
GET NETWORK SERIAL NUMBER | 17 | 12
GET NLM INFORMATION | 7B | 0B
GET NLM LOADED LIST | 7B | 0A
GET NLMS RESOURCE TAG LIST | 7B | 0F
GET NS DIR HANDLE PATH | 57 | 15
GET NS ENTRY INFO | 57 | 06
GET NS INFO FORMAT | 57 | 17
GET NS LOADED LIST | 57 | 18
GET NS PATH | 57 | 1C
GET NUMBER NCP EXTENSIONS | 24 | 03
GET OBJECT CONNECTION NUMBERS | 17 | 1B
GET OBJECT CONNECTION NUMBERS OLD | 17 | 15
GET OBJECT DISK RESTRICTIONS | 16 | 29
GET OBJECT EFFECTIVE RIGHTS | 16 | 32
GET OS VERSION INFORMATION | 7B | 0D
GET PACKET BURST INFORMATION | 7B | 05
GET PATH FROM DIRECTORY BASE | 17 | F3
GET PATH FROM DIRECTORY ENTRY | 16 | 1A
GET PERSONAL MESSAGE | 15 | 05
GET PHYSICAL DISK STATISTICS | 17 | D8
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE | 17 | ED
GET PHYSICAL RECORD LOCKS BY CONNECTION AND FILE OLD | 17 | DD
GET PHYSICAL RECORD LOCKS BY FILE | 17 | EE
GET PHYSICAL RECORD LOCKS BY FILE OLD | 17 | DE
GET PRINTER QUEUE | 11 | 0A
GET PRINTER STATUS | 11 | 06
GET PROTOCOL STACK CONFIGURATION INFORMATION | 7B | 29
GET PROTOCOL STACK CUSTOM INFORMATION | 7B | 2B
GET PROTOCOL STACK NUMBERS BY LAN BOARD NUMBER | 7B | 2D
GET PROTOCOL STACK NUMBERS BY MEDIA NUMBER | 7B | 2C
GET PROTOCOL STACK STATISTICS INFORMATION | 7B | 2A
GET QUEUE JOB LIST | 17 | 81
GET QUEUE JOB LIST OLD | 17 | 6B
GET QUEUE JOB FILE SIZE | 17 | 87
GET QUEUE JOB FILE SIZE OLD | 17 | 78
GET QUEUE JOBS FROM LIST | 17 | 89
GET REFERENCE COUNT FROM DIRECTORY HANDLE | 5A | 0B
GET REFERENCE COUNT FROM DIRECTORY NUMBER | 5A | 0A
GET RELATIONOF AN OBJECT | 17 | 4C
GET SEMAPHORE INFORMATION | 17 | F2
GET SEMAPHORE INFORMATION OLD | 17 | E2
GET SERVER INFORMATION | 7B | 36
GET SERVER SET CATEGORIES | 7B | 3D
GET SERVER SET COMMANDS INFORMATION | 7B | 3C
GET SERVER SOURCES INFORMATION | 7B | 37
GET SET VOLUME DM STATUS | 5A | 86
GET SPOOL QUEUE ENTRY | 11 | 04
GET STATION NUMBER | 13 | 00
GET STATION LOGGED INFORMATION | 17 | 1C
GET STATION LOGGED INFORMATION OLD | 17 | 16
GET STATION LOGGED INFORMATION EX | 17 | 05
GET USER INFORMATION | 7B | 04
GET UTC TIME | 72 | 01
GET VOLUME AUDIT STATISTICS | 58 | 01
GET VOLUME DM STATUS | 5A | 82
GET VOLUME INFO WITH HANDLE | 16 | 15
GET VOLUME INFO WITH NUMBER | 12 | 00
GET VOLUME INFORMATION | 17 | E9
GET VOLUME INFORMATION BY LEVEL | 7B | 22
GET VOLUME NAME | 16 | 06
GET VOLUME NUMBER | 16 | 05
GET VOLUME SEGMENT LIST | 7B | 21
GET VOLUME SWITCH INFORMATION | 7B | 09
GET VOLUME USAGE | 16 | 2C
INIT AUDIT FILE READ | 58 | 18
INITIALIZE NS SCAN | 57 | 02
IS BINDERY OBJECT IN SET | 17 | 43
IS STATION A MANAGER | 17 | 49
IS USER AUDITED | 58 | 09
LOCK FILE SET OLD | 04 | 00
LOCK FILE SET | 6A | 00
LOCK LOGICAL RECORD SET OLD | 0A | 00
LOCK LOGICAL RECORD SET | 6C | 00
LOCK PHYSICAL RECORD SET OLD | 1B | 00
LOCK PHYSICAL RECORD SET | 6E | 00
LOG FILE OLD | 03 | 00
LOG FILE | 69 | 00
LOG LOGICAL RECORD OLD | 09 | 00
LOG LOGICAL RECORD | 6B | 00
LOG NETWORK MESSAGE | 17 | 0D
LOG PHYSICAL RECORD OLD | 1A | 00
LOG PHYSICAL RECORD | 6D | 00
LOGIN AS VOLUME AUDITOR | 58 | 03
LOGIN OBJECT | 17 | 14
LOGIN OBJECT ENCRYPTED | 17 | 18
LOGIN USER OBJECT | 17 | 00
LOGOUT | 19 | 00
LOGOUT AS VOLUME AUDITOR | 58 | 0D
MAP DIRECTORY NUMBER TO PATH | 16 | F3
MAP GROUP NAME TO NUMBER | 17 | 07
MAP NUMBER TO GROUP NAME | 17 | 08
MAP NUMBER TO USER NAME | 17 | 04
MAP USER NAME TO NUMBER | 17 | 03
MAP USER TO STATION SET | 17 | 02
MODIFY MAXIMUM RIGHTS MASK | 16 | 04
MOVE ENTRY | 16 | 2E
MOVE FILE FROM DM | 5A | 85
MOVE FILE TO DM | 5A | 80
MOVE QUEUE JOB | 17 | 88
NEGOTIATE BUFFER | 21 | 00
OPEN BINDERY | 17 | 45
OPEN CREATE FILE | 54 | 00
OPEN CREATE NS ENTRY | 57 | 01
OPEN CREATE NS FILE OR DIRECTORY | 57 | 1E
OPEN DATA STREAM | 16 | 31
OPEN FILE | 4C | 00
OPEN MESSAGE PIPE | 15 | 06
OPEN SEMAPHORE OLD | 20 | 00
OPEN SEMAPHORE | 6F | 00
PACKET BURST CONNECTION REQUEST | 65 | 00
PURGE ALL ERASED FILES | 17 | CE
PURGE ERASED FILES | 16 | 10
PURGE NS SALVAGEABLE FILE | 57 | 12
PURGE SALVAGEABLE FILE | 16 | 1D
READ AUDIT CONFIG HEADER | 58 | 0B
READ AUDITING BIT MAP | 58 | 0A
READ AUDITING FILE | 58 | 0C
READ AUDITING FILE 2 | 58 | 19
READ EXTENDED ATTRIBUTE | 56 | 03
READ EXTENDED NS INFO | 57 | 1A
READ NS INFO | 57 | 13
READ PROPERTY VALUE | 17 | 3D
READ QUEUE CURRENT STATUS | 17 | 7D
READ QUEUE CURRENT STATUS OLD | 17 | 66
READ QUEUE JOB ENTRY | 17 | 7A
READ QUEUE JOB ENTRY OLD | 17 | 6C
READ QUEUE SERVER CURRENT STATUS | 17 | 86
READ QUEUE SERVER CURRENT STATUS OLD | 17 | 76
RECOVER NS SALVAGEABLE FILE | 57 | 11
RECOVER SALVAGEABLE FILE | 16 | 1C
RELEASE A RESOURCE | 17 | FC
RELEASE FILE | 05 | 00
RELEASE FILE SET | 06 | 00
RELEASE LOGICAL RECORD | 0C | 00
RELEASE LOGICAL RECORD SET | 0D | 00
RELEASE PHYSICAL RECORD | 1C | 00
RELEASE PHYSICAL RECORD SET | 1D | 00
REMOVE AUDIT PROPERTY | 58 | 06
REMOVE ENTRY FROM SPOOL QUEUE | 11 | 05
REMOVE JOB FROM QUEUE | 17 | 80
REMOVE JOB FROM QUEUE OLD | 17 | 6A
RENAME BINDERY OBJECT | 17 | 34
RENAME DIRECTORY | 16 | 0F
RENAME NS ENTRY | 57 | 04
RESET AUDIT HISTORY FILE | 58 | 0F
RESET AUDITING FILE | 58 | 0E
RESTART VOLUME AUDITING | 58 | 1E
RESTORE DIRECTORY HANDLE | 16 | 18
RESTORE ERASED FILE | 16 | 11
RESTORE QUEUE SERVER RIGHTS | 17 | 75
SAVE DIRECTORY HANDLE | 16 | 17
SCAN BINDERY OBJECT | 17 | 37
SCAN BINDERY OBJECT TRUSTEE PATHS | 17 | 47
SCAN DIR ENTRY | 16 | 1E
SCAN DIR RESTRICTIONS | 16 | 23
SCAN DIRECTORY FOR TRUSTEES | 16 | 0C
SCAN DIRECTORY INFORMATION | 16 | 02
SCAN ENTRY FOR TRUSTEES | 16 | 26
SCAN FILE INFORMATION | 17 | 0F
SCAN FILE PHYSICAL | 16 | 28
SCAN NCP EXTENSIONS | 24 | 00
SCAN NCP EXTENSIONS BY NAME | 24 | 02
SCAN NS ENTRY FOR TRUSTEES | 57 | 05
SCAN NS ENTRY INFO | 57 | 03
SCAN NS NEXT SET | 57 | 14
SCAN NS SALVAGEABLE FILES | 57 | 10
SCAN PROPERTY | 17 | 3C
SCAN SALVAGEABLE FILES | 16 | 1B
SCAN VOLUME FOR RESTRICTIONS | 16 | 20
SEARCH FILE | 40 | 00
SEND BROADCAST MESSAGE | 15 | 00
SEND BROADCAST MESSAGE EX | 15 | 0A
SEND CONSOLE BROADCAST | 17 | FD
SEND CONSOLE BROADCAST OLD | 17 | D1
SEND PERSONAL MESSAGE | 15 | 04
SEND REMOTE CONSOLE OPERATION | 83 | ??
SERVICE QUEUE JOB AND OPEN FILE OLD | 17 | 71
SERVICE QUEUE JOB LIST | 17 | 8A
SET AUDIT PASSWORD | 58 | 1F
SET COMP FILE SIZE | 5A | 0C
SET DIR RESTRICTION | 16 | 24
SET DIRECTORY HANDLE | 16 | 00
SET DIRECTORY INFORMATION | 16 | 19
SET ENTRY | 16 | 25
SET EXTENDED FILE ATTRIBUTES | 4F | 00
SET FILE ATTRIBUTES | 46 | 00
SET FILE INFORMATION | 17 | 10
SET FILE SERVER DATE AND TIME | 17 | CA
SET FILE TIME AND DATE | 4B | 00
SET NS ENTRY DOS INFO | 57 | 07
SET QUEUE CURRENT STATUS | 17 | 7E
SET QUEUE CURRENT STATUS OLD | 17 | 67
SET QUEUE SERVER CURRENT STATUS | 17 | 77
SET SPOOL FLAGS | 11 | 02
SET TEMP NS DIR HANDLE | 57 | 09
SET TRUSTEE | 16 | 27
SET VOLUME RESTRICTIONS | 16 | 21
SET WATCHDOG DELAY INTERVAL | 17 | 1E
SIGNAL SEMAPHORE OLD | 20 | 03
SIGNAL SEMAPHORE | 6F | 03
SPECIFY CAPTURE FILE | 11 | 09
SPOOL DATA TO A CAPTURE FILE | 11 | 00
SPOOL EXISTING FILE | 11 | 03
SUBMIT ACCOUNT CHARGE | 17 | 97
SUBMIT ACCOUNT HOLD | 17 | 98
SUBMIT ACCOUNT NOTE | 17 | 99
SYNCHRONIZE SCHEMA | 27 | 00
TTS ABORT TRANSACTION | 22 | 03
TTS BEGIN TRANSACTION | 22 | 01
TTS END TRANSACTION | 22 | 02
TTS GET APPLICATION THRESHOLDS | 22 | 05
TTS GET CONTROL FLAGS | 22 | 09
TTS GET STATISTICS | 17 | D5
TTS GET WORKSTATION THRESHOLDS | 22 | 07
TTS IS AVAILABLE | 22 | 00
TTS SET APPLICATION THRESHOLDS | 22 | 06
TTS SET CONTROL FLAGS | 22 | 0A
TTS SET WORKSTATION THRESHOLDS | 22 | 08
TTS TRANSACTION STATUS | 22 | 04
VERIFY BINDERY OBJECT PASSWORD | 17 | 3F
VERIFY BINDERY OBJECT PASSWORD ENCRYPTED | 17 | 4A
VERIFY NETWORK SERIAL NUMBER | 17 | 0C
WAIT ON SEMAPHORE OLD | 20 | 02
WAIT ON SEMAPHORE | 6F | 02
WRITE AUDIT CONFIG HEADER | 58 | 11
WRITE AUDITING BIT MAP | 58 | 10
WRITE EXTENDED ATTRIBUTE | 56 | 02
WRITE EXTENDED NS INFO | 57 | 1B
WRITE NS INFO | 57 | 19
WRITE PROPERTY VALUE | 17 | 3E
Again, our aim here is NOT to recode Client32, however a (very little)
library of usefull NCP calls can be found under the "exploit" directory, look
for the file "panrcp.h"; besides the ncpfs project (ncpfs-2.0.0) for Linux
already provides a GNU port of Netware Client.
This listing wouldn't be complete without the return code list of Netware
severs. This list was ripped off the "Netware C library" manual by Adrian
Cunnelly (adrian@amcsoft.demon.co.uk), whose "Netware C library" shareware
version is available on the SimTel site, check for netclb35.zip.
ÉÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºHex ³Meaning º Hex ³Meaning º
ÌÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹
º00h ³Action Successful º 9Ah ³Renaming Across Volumes º
º ³Server Not In Use º 9Bh ³Bad Directory Handle º
º ³TTS Not Available º 9Ch ³Invalid Path º
º01h ³Server In Use º ³No more Trustees º
º ³Semaphore Overflow º 9Dh ³No More Directory Handles º
º ³TTS Available º 9Eh ³Invalid Filename º
º02h ³DOS File Not Found º 9Fh ³Directory Active º
º03h ³DOS Path Not Found º A0h ³Directory Not Empty º
º04h ³DOS Too Many Open Files º A1h ³Directory IO Error º
º05h ³DOS Access Denied º A2h ³Read File With Record Locked º
º06h ³DOS Invalid File Handle º BBh ³No Netware shell loaded º
º07h ³DOS Memory Blocks Destroyed º C0h ³No Account Privileges º
º08h ³DOS Insufficient Memory º C1h ³Login Denied - º
º09h ³DOS Invalid Memory Block Address º ³No Account Balance º
º0Ah ³DOS Invalid Environment º C2h ³Account Credit limit Exceeded º
º0Bh ³DOS Invalid Format º ³Login Denied - No credit º
º0Ch ³DOS Invalid Access Code º C3h ³Account - Too many Holds º
º0Dh ³DOS Invalid Data º C5h ³Intruder Detection Lock º
º0Fh ³DOS Invalid Drive Specified º C6h ³Not Console Operator º
º10h ³DOS Attempt To Delete Current Dirº D0h ³Queue Error º
º11h ³DOS Not Same Device º D1h ³No Queue º
º12h ³DOS No More Files º D2h ³No Queue Server º
º20h ³DOS Sharing Violation º D3h ³No Queue Rights º
º21h ³DOS Lock Violation º D4h ³Queue Full º
º80h ³File In User Error º D5h ³No Queue Job º
º81h ³No More File Handles º D6h ³No Job Rights º
º82h ³No Open Privileges º D7h ³Password Not Unique º
º83h ³IO Error Network Disk º ³Queue Servicing º
º84h ³No Create Privileges º D8h ³Password Too Short º
º85h ³No Delete Privileges º ³Queue Not Active º
º86h ³Create File Exists Read Only º D9h ³Login Denied - No connection º
º87h ³Wild Cards in Create File Name º ³Station Not Server º
º88h ³Invalid File Handle º DAh ³Unauthorized login time - º
º89h ³No Search Privileges º ³Queue Halted º
º8Ah ³No Delete Privileges º DBh ³Unauthorized login station - º
º8Bh ³No Rename Privileges º ³Max Queue Servers º
º8Ch ³No Modify Privileges º DCh ³Account Disabled º
º8Dh ³Some Files Affected In Use º DEh ³Password has expired - No Graceº
º8Eh ³No Files Affected In Use º DFh ³Password has expired º
º8Fh ³Some Files Affected Read Only º E8h ³Not Item Property - º
º90h ³No Files Affected Read Only º ³Write Property to Group º
º91h ³Some Files Renamed - Name Exists º E9h ³Member Already Exists º
º92h ³No Files Renamed - Name Exists º EAh ³No Such Member º
º93h ³No Read Privileges º EBh ³Not Group Property º
º94h ³No Write Privileges or Read Only º ECh ³No Such Segment º
º95h ³File Detached º EDh ³Property Already Exists º
º96h ³Server Out Of Memory º EEh ³Object Already Exists º
º ³Out Of Dynamic Workspace º EFh ³Invalid Name º
º97h ³No Disk Space for Spool File º F0h ³Wild Card Not Allowed º
º98h ³Volume Does Not Exist º F1h ³Invalid Bindery Security º
º99h ³Directory Full º F2h ³No Object Read Privilege º
ÈÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
ÉÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÑÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºHex ³Meaning º Hex ³Meaning º
ÌÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÎÍÍÍÍÍØÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹
ºF3h ³No Object Rename Privilege º FFh ³Bad Printer Error º
ºF4h ³No Object Delete Privilege º ³Bad Record Offset º
ºF5h ³No Object Create Privilege º ³Close FCB Error º
ºF6h ³No Property Delete Privilege º ³File Extension Error º
º ³Not Same Local Drive º ³File Name Error º
ºF7h ³No Property Create Privilege º ³Hardware Failure º
º ³Target Drive Not Local º ³Invalid Drive Number º
ºF8h ³Already Attached To Server º ³Invalid Initial Semaphore Valueº
º ³No Property Write Privilege º ³Invalid Semaphore Handle º
º ³Not Attached To Server º ³IO Bound Error º
ºF9h ³No Free Connection Slots º ³No Files Found Error º
º ³No Property Read Privilege º ³No Response From Server º
ºFAh ³No More Server Slots º ³No Such Object º
º ³Temporary Remap Error º ³Bad Password º
ºFBh ³Invalid Parameters º ³Path Not Locatable º
º ³No Such Property º ³Queue Full Error º
º ³Unknown Request º ³Request Not Outstanding º
ºFCh ³Unknown File Server º ³Transaction Not Yet Written º
º ³Message Queue Full º ³No More Matching Files º
º ³No Such Object º ³Bindery Failure º
ºFDh ³Bad Station Number º ³Explicit Transaction Active º
º ³Unknown Request º ³No Explicit Transaction Active º
º ³Field Already Locked º ³No Record Found º
º ³TTS Disabled º ³Output Buffer Full º
ºFEh ³Bindery Locked º ³ º
º ³Directory Locked º ³ º
º ³Invalid Semaphore Name Length º ³ º
º ³Server Bindery Locked º ³ º
º ³Spool Directory Error º ³ º
º ³Supervisor has disabled login º ³ º
º ³Timeout Failure º ³ º
º ³Transaction ends Record Lock º ³ º
º ³Implicit Transaction Active º ³ º
ÈÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
And we're only talking 'Offical NCP calls' here, so just imagine if you add
undocumented stuff and NDS/IPX specific calls... Anyway, here are the
communication API :
-------------------------<Communication Functions>----------------------------
/* Connect and Transmit NCP requests */
/* Usage : ret=Pan_NCP_connect(server);
'server' is the file server number ?? setting server to 0 connects you
to the default server. The value returned if negative is a Pandora API
error, otherwise it's the ax value see table above.
*/
int Pan_NCP_connect(int socket);
/* Usage : ret=Pan_NCP_transmit(function,request,r_lengh,answer,a_lengh);
Use this to transmit an NCP packet via Novell Driver, parameters :
- func is the NCP Function code (subfunc. is located in request data);
- req is a pointer on a bloc of bytes (uint8) containing the request data
(subfunc., ...);
- rlengh is the lengh of the request data pointed by req;
- ans is a pointer on an initialized bloc of bytes (uint8) which will
contain the answer from the server to the request (if any);
- alengh is the lengh of the expected returned data.
The value returned if negative is a Pandora API error, otherwise it's the
ax register value see NCP error table.
*/
int Pan_NCP_transmit(int func,uint8 *req,int rlengh,uint8 *ans,int alengh);
/* Usage : ret=Pan_NCP_spoof(packet,lengh);
This function requires a packet driver on interrupt 0x60, and permits to
send fully customized packets (Network and Transport layer). Parameters :
- packet is a pointer on a bloc of bytes (uint8) containing the data to send;
- packlengh if the Total Physical Lengh of packet (Network and Transport);
This code is experimental : it works but will be replaced by something more
elaborate and more "compatible" ...
*/
int Pan_NCP_spoof(uint8 *packet,int packlengh);
-------------------------------------><---------------------------------------
_A_ Appendix A : error codes
Return code Description
------------------------------------------------------------------------------
(NULL) | Operation successfull
-100 | Password lengh exeed maximum (16 chars for Brute_Force & Dict_)
| (128 chars for Hash_Gen)
-101 | pw_first/pw_last mismatch
-102 | pw_current/pw_last mismatch
-103 | pw_first contains unauthorized chars OR pw_first/pwlen mismatch
-104 | pw_current contains unauthorized chs OR pw_curr./pwlen mismatch
-105 | Password not found (see Hash functions)
-106 | Maxtry reached (see Hash functions)
-107 | Hash is unknown
|
-200 | Error opening .NDS/.DS files
-201 | Out of memory
-202 | Out of DOS memory
-203 | NDS needs repair : cross reference encountered
|
-300 | Error opening file (Pandora/.NDS)
-301 | File read/write failure OR invalid file
_B_ Appendix B : physical file structures
For an explanation of the .NDS file structure see Inside.txt.
The two following structures are the physical equivalent to Pan_PassHack
(<-> PASSHACK) and Pan_PassList (<-> PASSLIST). We decided the use of uint8[]
blocs, this permits to write all numbers in the form of ASCII strings, thus
bypassing any Endian problem and platform dependant data representation.
Also note that all fields are multiples of 4 in bytes lengh, this is done for
the same reasons. It's ugly but effective, yet we're open to suggestions...
----------------------------<Physical Structures>-----------------------------
typedef struct passlist
{
uint8 bind[8]; /* Type of bindery object in little-endian format */
uint8 id[8]; /* Object ID from ENTRY */
uint8 parentID[8]; /* Parent ID */
uint8 objectID[8]; /* Object ID from Private Key */
uint8 pwlen_known[8]; /* TRUE or FALSE */
uint8 pwlen[8]; /* Real password length of user account */
uint8 pwhash_known[8]; /* TRUE or FALSE */
uint8 hash[16]; /* Real one-way hash of the user's password */
uint8 userOU[40]; /* OU of User in unicode format */
uint8 userCN[258]; /* User common name in unicode format */
} PASSLIST; /* size=370 */
typedef struct passhack
{
uint8 bind[8]; /* Type of bindery object in little-endian format */
uint8 id[8]; /* Object ID from ENTRY */
uint8 parentID[8]; /* Parent ID */
uint8 objectID[8]; /* Object ID from Private Key */
uint8 pwlen[8]; /* Lengh of password currently tested */
uint8 pw_first[128]; /* Password used to initialize the hack */
uint8 pw_current[128]; /* Password used when restoring a hack */
uint8 pw_last[4]; /* Limit for pw_current[0] */
uint8 hash[16]; /* One-way hash, if set to 0 => unknown */
uint8 userOU[40]; /* OU of User in unicode format*/
uint8 userCN[258]; /* User common name in unicode format */
} PASSHACK; /* size=614 */
-------------------------------------><---------------------------------------
A final word. You are very welcome and encouraged to contribute to the
project; Moreover, since this is GNU licensed, it is courteous ( if not
required ;-) ) to notify us with any changes you make to or tools you build
with the Pandora API.
Happy Coding !
(c) Nomad Mobile Research Center
www.nmrc.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed